Configuring Token exchange and NativeApp SSO
Overview
OAuth2.0 Token Exchange enables client applications to request and obtain security tokens (such as access tokens) from an authorization server acting as a Security Token Service (STS).
Configuring provider.yml
- The definition configuration defines a new grant_type
urn:ietf:params:oauth:grant-type:token-exchange.
# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
version: 24.08
logging:
level: debug
definition:
id: 1
name: OIDC Definition
grant_types:
- authorization_code
- password
- client_credentials
- implicit
- refresh_token
- urn:ietf:params:oauth:grant-type:token-exchange
pre_mappingrule_id: isvaop_pretoken # Pre-Token mapping rule ID.
post_mappingrule_id: isvaop_posttoken
base_url: https://isvaop.ibm.com:445/isvaop
token_settings: # Token Settings
issuer: https://isvaop.ibm.com # OP's issuer URI.
signing_alg: PS256 # Signing algorithm for ID token generated.
signing_keystore: isvaop_signing # Signing keystore name.
signing_keylabel: jwtsigning # Signing key label.
attribute_map: # Attribute mapping to resolve claims. also refer to attributesources.yml
surname: surname
server:
ssl:
key: ks:isvaop_keys/httpserverkey
certificate: ks:isvaop_keys/httpservercert
jwks:
signing_keystore: isvaop_signing
secrets:
obf_key: "ENC:iUt+3MzCntxSL2FPTUuJqER79UaiRSApMz3cbgJm4yzuiv6H7KN8ADsamX6+Qre1oTsATjnb1bJ0Lmi7WWfxWeGT477yqqvgVayFlCDIFzZeNkdINjASfTE3B+/3Sm9YjIYuWtZdySiXeydhJXSiOGU9osdA9g2BZXR4eMrXNutCuaSvFH6MY+TyOH5q15vy6vEWOebJQHrnug0A8rN6NF8G8XaxCe/+yqH57jJpdhm0N7iUydIYOBOQ1wDgCc8nRMWkQqlkcRhDZvLLAIlhoshYvo06ubyryt8/vv/0AvTLq9AIiQoL8CtYLr+SNZlzWe4CnHYZdO9S+AIrUOVORw=="
enc_key: "@keys/private.pem"
Configuring mapping rule
- A new mapping rule called idmap.js needs to be created.
- This mapping rule can be used to validate the
subjectorsubof the incoming token during token exchange. - Validation can be done by contacting an LDAP to check for the existence of the
subjectorsub.
/**
* Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
*/
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
importClass(Packages.com.ibm.security.access.user.UserLookupHelper);
IDMappingExtUtils.traceString("Entering idmap mapping rule")
IDMappingExtUtils.traceString("sub : " + stsuu.getPrincipalName());
let sub = stsuu.getPrincipalName();
IDMappingExtUtils.traceString("iss: " + stsuu.getAttributeContainer().getAttributeValueByName("iss"));
IDMappingExtUtils.traceString("exp: " + stsuu.getAttributeContainer().getAttributeValueByName("exp"));
//Initializing an ldap connection to search for the sub
var userLookupHelper = new UserLookupHelper("ldap_test_cfg_01");
IDMappingExtUtils.traceString("sub validation for : " + sub);
if(userLookupHelper.isReady()){
var user = userLookupHelper.getUser(sub);
if(user.getId() == null){
IDMappingExtUtils.traceString("sub validation failed for : " + sub);
}
else{
IDMappingExtUtils.traceString("sub validation succeded for : " + sub);
}
}
IDMappingExtUtils.traceString("STSUU: " + stsuu.toString());
Configuring storage.yml
- Based on the above mapping rule, the LDAP connection is referenced by the UserLookupHelper using
ldap_connection. - Update the
ldapcfgconfiguration and the LDAP connection details instorage.yml.
...
server_connections: # Server connections
- name: ldap_srvconn # Connection name
type: ldap # Connection type
hosts: # List of host information (IP and port)
- hostname: openldap # Server's hostname
hostport: 636 # Server's host port
credential: # Credential information to connect to the host.
bind_dn: cn=root,secAuthority=Default # Specifies the binding credential for the LDAP server connection.
bind_password: "OBF:U2FsdGVkX1+BPKsUsh0oGSsNNr1HSsAQWwPLB30MyDs="
# Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this.
ssl:
certificate: # The SSL connection certificate array.
- ks:ldap_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore.
disable_hostname_verification: false # The SSL connection validates the hostname.
conn_settings: # Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.
max_pool_size: 50 # Maximum connection pool size.
connect_timeout: 3 # Connect timeout, in seconds.
aged_timeout: 5 # Aged timeout, in seconds.
ldapcfg:
- name: ldap_test_cfg_01
scope: subtree
user_object_classes: top,Person,organizationalPerson,inetOrgPerson
filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
selector: objectClass,cn,sn,givenName,userPassword
srv_conn: ldap_srvconn
attribute: uid
baseDN: dc=ibm,dc=com
Configuring the static client
- Configure two clients.
- One client that generates token.
- Another client that wants to exchange the token for a different token.
# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
clients:
- client_id: clientTokenExchange
client_secret: "OBF:U2FsdGVkX19iBhlwc53QkybjO6RjFHhSbz4VRudYHA=" # Client secret that is used for client authentication and/or JWT signing/encryption. `OBF:` indicates obfuscated string.
client_name: clientTokenExchange # Name of the client.
client_id_issued_at: 1642399207 # Timestamp (in seconds) from when the client is created.
enabled: true # Set to `true` to enable this client
grant_types: # Grant type that the client is allowed to use at the token endpoint.
- authorization_code
- password
- client_credentials
- implicit
- refresh_token
- urn:openid:params:grant-type:ciba
- urn:ietf:params:oauth:grant-type:token-exchange
response_types: # Response type that the client is allowed to use at the authorization endpoint.
- code id_token
- code
- code token
- none
- code token id_token
redirect_uris: # Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
- https://www.rp.com/redirect
request_uris: # Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
- https://www.rp.com/request/test.jwt
scopes: # A list of scope values that the client can use when requesting access tokens.
- cdr:registration
- openid
- profile
jwks_uri: https://www.rp.com/oidc/endpoint/default/jwks
id_token_signed_response_alg: PS512
token_endpoint_auth_method: client_secret_post
token_exchange_settings:
client_groups:
- benefits
- insurance
supported_subject_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
supported_actor_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
supported_requested_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
- client_id: tokenGenerated
client_secret: "OBF:U2FsdGVkX19iBhlwc53QkybjO6RjFHhSbz4VRudYHA=" # Client secret that is used for client authentication and/or JWT signing/encryption. `OBF:` indicates obfuscated string.
client_name: tokenGenerated # Name of the client.
client_id_issued_at: 1642399207 # Timestamp (in seconds) from when the client is created.
enabled: true # Set to `true` to enable this client
grant_types: # Grant type that the client is allowed to use at the token endpoint.
- authorization_code
- password
- client_credentials
- implicit
- refresh_token
- urn:openid:params:grant-type:ciba
- urn:ietf:params:oauth:grant-type:token-exchange
response_types: # Response type that the client is allowed to use at the authorization endpoint.
- code id_token
- code
- code token
- none
- code token id_token
redirect_uris: # Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
- https://www.rp.com/redirect
request_uris: # Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
- https://www.rp.com/request/test.jwt
scopes: # A list of scope values that the client can use when requesting access tokens.
- cdr:registration
- openid
- profile
jwks_uri: https://www.rp.com/oidc/endpoint/default/jwks
id_token_signed_response_alg: PS512
token_endpoint_auth_method: client_secret_post
token_exchange_settings:
client_groups:
- benefits
- insurance
supported_subject_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
supported_actor_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
supported_requested_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
client_groups- Clients are logically grouper using client_groups configuration. Clients belonging to the same client_group can exchange tokens generated with another client belonging to the same group.
Token exchange request example
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=clientTokenExchange' \
--data-urlencode 'client_secret=asfasdfawqdewq' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token=_RFAfJNeB6H30IfDW1udc271ytq5BG5WwFSTvacNG1g.Oyr-LMYFrGXn9NrLPcTKOvAisGRGYUbtoyLkyD-BZCfNSgbW-EnWpAzRHZXTzMioGK2e9HcM0668nXATCStHWg' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
--data-urlencode 'actor_token=JFQu9BDahuciIVICnLcmTkeMJeng92p38IKD--fsYmo._-ZQpBn6FP-BxraacU0snZdlm4ndnIBPmRHZcWixnleUmJfDhxladSAJMKLidW9-QX4DC1KwsPvX_f16_Keh8g' \
--data-urlencode 'actor_token_type=urn:ietf:params:oauth:token-type:access_token'
NativeApp SSO configuration
Native App SSO is a specification that allows sharing of identity across multiple mobile applications. Native App SSO is not based on session cookie, it extends the OAuth 2.0 Token Exchange specification to share identity (SSO) between apps produced and signed by the same vendor.
Configuring provider.yml
- The definition configuration defines a new grant_type
urn:ietf:params:oauth:grant-type:token-exchange.
# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
version: 24.08
logging:
level: debug
definition:
id: 1
name: OIDC Definition
grant_types:
- authorization_code
- password
- client_credentials
- implicit
- refresh_token
- urn:ietf:params:oauth:grant-type:token-exchange
pre_mappingrule_id: isvaop_pretoken # Pre-Token mapping rule ID.
post_mappingrule_id: isvaop_posttoken
base_url: https://isvaop.ibm.com:445/isvaop
token_settings: # Token Settings
issuer: https://isvaop.ibm.com # OP's issuer URI.
signing_alg: PS256 # Signing algorithm for ID token generated.
signing_keystore: isvaop_signing # Signing keystore name.
signing_keylabel: jwtsigning # Signing key label.
attribute_map: # Attribute mapping to resolve claims. also refer to attributesources.yml
surname: surname
server:
ssl:
key: ks:isvaop_keys/httpserverkey
certificate: ks:isvaop_keys/httpservercert
jwks:
signing_keystore: isvaop_signing
secrets:
obf_key: "ENC:iUt+3MzCntxSL2FPTUuJqER79UaiRSApMz3cbgJm4yzuiv6H7KN8ADsamX6+Qre1oTsATjnb1bJ0Lmi7WWfxWeGT477yqqvgVayFlCDIFzZeNkdINjASfTE3B+/3Sm9YjIYuWtZdySiXeydhJXSiOGU9osdA9g2BZXR4eMrXNutCuaSvFH6MY+TyOH5q15vy6vEWOebJQHrnug0A8rN6NF8G8XaxCe/+yqH57jJpdhm0N7iUydIYOBOQ1wDgCc8nRMWkQqlkcRhDZvLLAIlhoshYvo06ubyryt8/vv/0AvTLq9AIiQoL8CtYLr+SNZlzWe4CnHYZdO9S+AIrUOVORw=="
enc_key: "@keys/private.pem"
Configuring mapping rule
- A new mapping rule called idmap.js needs to be created.
- This mapping rule can be used to validate the
subjectorsubof the incoming token during token exchange. - Validation can be done by contacting an LDAP to check for the existence of the
subjectorsub.
/**
* Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
*/
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
importClass(Packages.com.ibm.security.access.user.UserLookupHelper);
IDMappingExtUtils.traceString("Entering idmap mapping rule")
IDMappingExtUtils.traceString("sub : " + stsuu.getPrincipalName());
let sub = stsuu.getPrincipalName();
IDMappingExtUtils.traceString("iss: " + stsuu.getAttributeContainer().getAttributeValueByName("iss"));
IDMappingExtUtils.traceString("exp: " + stsuu.getAttributeContainer().getAttributeValueByName("exp"));
//Initializing an ldap connection to search for the sub
var userLookupHelper = new UserLookupHelper("ldap_test_cfg_01");
IDMappingExtUtils.traceString("sub validation for : " + sub);
if(userLookupHelper.isReady()){
var user = userLookupHelper.getUser(sub);
if(user.getId() == null){
IDMappingExtUtils.traceString("sub validation failed for : " + sub);
}
else{
IDMappingExtUtils.traceString("sub validation succeded for : " + sub);
}
}
IDMappingExtUtils.traceString("STSUU: " + stsuu.toString());
Configuring storage.yml
- Based on the above mapping rule, the LDAP connection is referenced by the UserLookupHelper using
ldap_connection. - Update the
ldapcfgconfiguration and the LDAP connection details instorage.yml.
...
server_connections: # Server connections
- name: ldap_srvconn # Connection name
type: ldap # Connection type
hosts: # List of host information (IP and port)
- hostname: openldap # Server's hostname
hostport: 636 # Server's host port
credential: # Credential information to connect to the host.
bind_dn: cn=root,secAuthority=Default # Specifies the binding credential for the LDAP server connection.
bind_password: "OBF:U2FsdGVkX1+BPKsUsh0oGSsNNr1HSsAQWwPLB30MyDs="
# Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this.
ssl:
certificate: # The SSL connection certificate array.
- ks:ldap_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore.
disable_hostname_verification: false # The SSL connection validates the hostname.
conn_settings: # Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.
max_pool_size: 50 # Maximum connection pool size.
connect_timeout: 3 # Connect timeout, in seconds.
aged_timeout: 5 # Aged timeout, in seconds.
ldapcfg:
- name: ldap_test_cfg_01
scope: subtree
user_object_classes: top,Person,organizationalPerson,inetOrgPerson
filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
selector: objectClass,cn,sn,givenName,userPassword
srv_conn: ldap_srvconn
attribute: uid
baseDN: dc=ibm,dc=com
Configuring the static client
- Configure two clients.
- One client that generates token.
- Another client that wants to exchange the token for a different token.
urn:x-oath:params:oauth:token-type:device-secretis added as asupported_actor_token_typesin the client configurationdevice_ssois added to the list of scopes supported.
# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
clients:
- client_id: clientTokenExchange
client_secret: "OBF:U2FsdGVkX19iBhlwc53QkybjO6RjFHhSbz4VRudYHA=" # Client secret that is used for client authentication and/or JWT signing/encryption. `OBF:` indicates obfuscated string.
client_name: clientTokenExchange # Name of the client.
client_id_issued_at: 1642399207 # Timestamp (in seconds) from when the client is created.
enabled: true # Set to `true` to enable this client
grant_types: # Grant type that the client is allowed to use at the token endpoint.
- authorization_code
- password
- client_credentials
- implicit
- refresh_token
- urn:openid:params:grant-type:ciba
- urn:ietf:params:oauth:grant-type:token-exchange
response_types: # Response type that the client is allowed to use at the authorization endpoint.
- code id_token
- code
- code token
- none
- code token id_token
redirect_uris: # Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
- https://www.rp.com/redirect
request_uris: # Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
- https://www.rp.com/request/test.jwt
scopes: # A list of scope values that the client can use when requesting access tokens.
- cdr:registration
- openid
- profile
jwks_uri: https://www.rp.com/oidc/endpoint/default/jwks
id_token_signed_response_alg: PS512
token_endpoint_auth_method: client_secret_post
token_exchange_settings:
client_groups:
- benefits
- insurance
supported_subject_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
supported_actor_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
- urn:x-oath:params:oauth:token-type:device-secret
supported_requested_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
- client_id: tokenGenerated
client_secret: "OBF:U2FsdGVkX19iBhlwc53QkybjO6RjFHhSbz4VRudYHA=" # Client secret that is used for client authentication and/or JWT signing/encryption. `OBF:` indicates obfuscated string.
client_name: tokenGenerated # Name of the client.
client_id_issued_at: 1642399207 # Timestamp (in seconds) from when the client is created.
enabled: true # Set to `true` to enable this client
grant_types: # Grant type that the client is allowed to use at the token endpoint.
- authorization_code
- password
- client_credentials
- implicit
- refresh_token
- urn:openid:params:grant-type:ciba
- urn:ietf:params:oauth:grant-type:token-exchange
response_types: # Response type that the client is allowed to use at the authorization endpoint.
- code id_token
- code
- code token
- none
- code token id_token
redirect_uris: # Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
- https://www.rp.com/redirect
request_uris: # Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
- https://www.rp.com/request/test.jwt
scopes: # A list of scope values that the client can use when requesting access tokens.
- cdr:registration
- openid
- profile
- device_sso
jwks_uri: https://www.rp.com/oidc/endpoint/default/jwks
id_token_signed_response_alg: PS512
token_endpoint_auth_method: client_secret_post
token_exchange_settings:
client_groups:
- benefits
- insurance
supported_subject_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
supported_actor_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
- urn:x-oath:params:oauth:token-type:device-secret
supported_requested_token_types:
- urn:ietf:params:oauth:token-type:access_token
- urn:ietf:params:oauth:token-type:refresh_token
- urn:ietf:params:oauth:token-type:id_token
client_groups- Clients are logically grouper using client_groups configuration. Clients belonging to the same client_group can exchange tokens generated with another client belonging to the same group.
Token exchange request example with device_secret
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=clientTokenExchange' \
--data-urlencode 'client_secret=asfasdfawqdewq' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token=eyJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHBzZXJ2ZXJrZXkiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiYXVxdDRxa3NLcXpYeEhJSXY3MFVxdyIsImF1ZCI6WyJjbGllbnQwMWRwb3AiXSwiYXV0aF90aW1lIjoxNzAyMzQ1MTY1LCJjdXN0b20xIjoiYmN1c3RvbSIsImN1c3RvbTIiOiJiY3VzdG9tIiwiZHNfaGFzaCI6InZfcDZMWjNqVDd5dFRzQkpoOWVweFEiLCJleHAiOjE3MDIzNDg3NjUsImlhdCI6MTcwMjM0NTE2NSwiaXNzIjoiaHR0cHM6Ly93d3cuaWJtLmNvbSIsImp0aSI6IjhhNGZhZGJkLTAyYjMtNDYyZi1iN2Q4LWE2ZWExMzFkNGZjYSIsInJhdCI6MTcwMjM0NTE2NCwicnRfaGFzaCI6ImVrc2duQ1NoOUhoVnAwUHN1Vnl0cWciLCJzaWQiOiIyZWQ2N2ZhYi1mNmRhLTQ5ZGMtYjAwYi0wZWNmZDliN2RmZWQiLCJzdWIiOiJwZXRlciJ9.1tdrA4CeAZoLnqSEzLXfQJGSWacyjYujKGykzjT0gW0hRIL_Gjo_LdrmI5LooaolbMLHbwFdEc2Q_XBc_TKketpcFyqOu8uyCdWCJGgtS3X_Qh2flqOd3NtKrhZbuD5CcGFi0FUQ7gaVYOgDXmFLHBk6OorDLOgBv3wPa9RTSC0JMqQ-phkRfW-08id0VtgOACUdyQqyN8DDEQamp2reHj4D4hb0bayB0My4QOGTsBukubCFUzerZNw_AJiXR4shMQvIFXe_85gZlVhzQ402pn9Sz8kMZZ6BGKwIlHlRtM6jhyFl2t-ETcY8NAmvxAUxSR6gq3DcT5pGPcsBooH2Zw' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:id_token' \
--data-urlencode 'actor_token=PJEef6mv4z9uxdXrns7HpEOnuhPwxPRFA46d8TjXwjQ.zUlg_vF6Ag1P9ndm8EhS7Mpyd4Jd-gMgJk357lv2yvy_N2yOaieIqO7fIh5AzASmCZ0Ujmp87obPnkYT13y-sQ' \
--data-urlencode 'actor_token_type=urn:x-oath:params:oauth:token-type:device-secret' \
--data-urlencode 'audience=https://www.ibm.com'
Revoking the device_secret
- In the scenario where device_secret needs to be revoked (Lost device)
- Either the device_secret and the tokens generated during the authorization code flow can be revoked
- Or the device_secret, the tokens generated during the authorization code and the tokens generated by token exchange can be revoked
- To revoke the device_secret and the tokens generated during the authorization code flow, here is an example of the request.
curl --location 'https://isvaop.ibm.com:445/isvaop/oauth2/revoke' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=tokenGenerated' \
--data-urlencode 'client_secret=asfasdfawqdewq' \
--data-urlencode 'token=PJEef6mv4z9uxdXrns7HpEOnuhPwxPRFA46d8TjXwjQ.zUlg_vF6Ag1P9ndm8EhS7Mpyd4Jd-gMgJk357lv2yvy_N2yOaieIqO7fIh5AzASmCZ0Ujmp87obPnkYT13y-sQ'
- To revoke the device_secret, tokens generated during the authorization code flow and tokens generated by token exchange flow, here is an example of the request.
curl --location 'https://isvaop.ibm.com:445/isvaop/oauth2/revoke' \
--header 'deleteAllTokens: true' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=tokenGenerated' \
--data-urlencode 'client_secret=asfasdfawqdewq' \
--data-urlencode 'token=PJEef6mv4z9uxdXrns7HpEOnuhPwxPRFA46d8TjXwjQ.zUlg_vF6Ag1P9ndm8EhS7Mpyd4Jd-gMgJk357lv2yvy_N2yOaieIqO7fIh5AzASmCZ0Ujmp87obPnkYT13y-sQ'
Updated 3 months ago